
With the number of systems, networks, Web sites, email addresses, accounts, and other secured services that we have access to, it gets quite difficult to always come up with something unique and memorable. Perhaps you have the discipline to generate secure passwords, but I often find myself using the same password on multiple systems. This is not a good practice, and it can easily be avoided by employing an automatic password generator.

A few years ago, it would have seemed ludicrous that one would need a program to generate passwords. Password security, however, now affects millions of households and millions of people who have no training in the proper password-picking procedures (yes, I meant to type that). No matter how random we think our passwords are, human nature tends to stick to certain patterns. The best way to choose a new password might be to let a piece of software choose it for you.

Installing and Using APG

A very simple and effective password generator is APG (Automated Password Generator). It boasts several features that make it useful for an entire network, or a single user:

ANSI X9.17 RNG (Random Number Generator)

Pronounceable (and thus memorable) password generation

Password Attacks CHAPTER5 175


Length specification

Built-in validation checks

Network and standalone versions

NOTE

To test this theory, create a few accounts with what you think would be strong passwords, and then run Crack against them. See how long it takes before Crack generates a valid match.

For our purposes, we’ll just be looking at the standalone version now, but, if you’d like to supply a password generator to your entire network, APG can do that as well—with extensive access logging included. Download APG from its Web site at http://www.adel.nursat.kz/apg/download.html.

After downloading, uncompress and unarchive the source code:

[root@pointy passwd]# tar zxf apg-1.1.61b.tar.gz

Next, cd into the APG source code directory and compile the application using make standalone:

[root@pointy apg-1.1.61b]# make standalone

gcc -Wall -o apg rnd.c ./cast/cast.c pronpass.c randpass.c restrict.c errors.c apg.c

That’s all there is to it. You’re now ready to use APG. There are several command-line options that can alter the way that APG works. Table 5.12 documents the available switches.

TABLE 5.12 APG Command-line Switches

Switch                     Description

-S/-N/-C/-L                These switches alter the type of password generated (this is useful only in conjunction with the -a switch). S generates symbol passwords, N generates numbers, C generates uppercase letter sequences, and finally, L creates lowercase passwords.

-r <filename>              Checks the generated passwords against a dictionary file to ensure that the made-up word doesn’t actually happen to be a real word.

-a <1 or 0>                If the -a switch is used to set the algorithm to 1, the S/N/C/L switches will be used to change the type of password generated. The default is 0, which produces a pronounceable password.

-n <number-to-generate>    The number of passwords to generate.

-m <minimum-length>        Minimum password length.

-x <maximum-length>        Maximum password length.

-s                         Prompt the user for a random seed that will be used in the password generation.

-c <seed-number>           Specify a seed on the command line.

Linux User Security

PARTII

176

For example, to generate 10 passwords with a minimum length of 5 characters and a maximum length of 15 characters, you can use apg -n 10 -m 5 -x 15:

[root@pointy apg-1.1.61b]# apg -n 10 -m 5 -x 15

ByekFeymu (Byek-Feym-u)
dytricAnvemOgu (dyt-ric-An-vem-Og-u)
TekjegNimijyuth (Tek-jeg-Nim-ij-yuth)
Swerd7 (Swerd-7)
WapeidVosyu (Wap-eid-Vos-yu)
gimVug (gim-Vug)
Kryofiruks (Kryof-ir-uks)
Hygavathy (Hyg-av-ath-y)
abquagNeuvayg (ab-quag-Neuv-ayg)
NephNubDyophpac (Neph-Nub-Dyoph-pac)

Sure enough, ten passwords are generated. As you can see, they’re not quite words, but they are separated into syllables that you stand a chance of remembering. This is a good way to come up with usable passwords if you’ve exhausted the names of all your favorite movies and the digits in your phone number.
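The sketch below is an added example, not code from the book or from APG: it shows what the random-character mode and the length, character-class and dictionary switches of Table 5.12 amount to, using Python's secrets module (the operating system's CSPRNG) in place of APG's ANSI X9.17 generator. The function names, defaults and the inline word list are assumptions made for the illustration.

```python
import math
import secrets
import string

# Character classes keyed by the letters of APG's -S/-N/-C/-L switches.
CLASSES = {
    "S": string.punctuation,
    "N": string.digits,
    "C": string.ascii_uppercase,
    "L": string.ascii_lowercase,
}


def generate(classes="NCL", min_len=8, max_len=12, dictionary=frozenset()):
    """Return one random password built from the selected classes.

    The length is uniform in [min_len, max_len] (the -m/-x idea), every
    selected class must appear at least once, and a candidate whose
    lowercase form is in `dictionary` (a set of lowercase words) is
    rejected, which is the job the -r switch does.
    """
    if not classes or len(set(classes)) != len(classes) \
            or not set(classes) <= CLASSES.keys():
        raise ValueError("classes must be distinct letters from S, N, C, L")
    if not len(classes) <= min_len <= max_len:
        raise ValueError("need len(classes) <= min_len <= max_len")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        length = min_len + secrets.randbelow(max_len - min_len + 1)
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        has_all = all(any(ch in CLASSES[c] for ch in candidate) for c in classes)
        if has_all and candidate.lower() not in dictionary:
            return candidate


def entropy_bits(classes, length):
    """Upper bound, in bits, on the entropy of a password of this length."""
    return length * math.log2(sum(len(CLASSES[c]) for c in classes))


if __name__ == "__main__":
    words = {"password", "letmein"}  # constructed stand-in for a dictionary file
    for _ in range(5):
        pw = generate("SNCL", 10, 15, words)
        print(pw, f"(at most {entropy_bits('SNCL', len(pw)):.1f} bits)")
```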

Password Management with Gpasman

When you’ve developed a password strategy for yourself and have stopped using the same password everywhere, you’ll discover that suddenly you have quite a bit to keep track of. Again, computer software has kept up with the needs of the user. Several Linux password management tools are available that, with a single password, can unlock an encrypted list of all the passwords you need to access all your files, servers, and so on.

A simple management tool based on the GTK toolkit is Gpasman. This software runs within an X Window System interface and does nothing more than maintain a password list. The list itself is encrypted using the RC2 algorithm. The beauty of this system is that you have to remember just a single password to access all your private information. The bad news is that an attacker needs to crack only a single password to access the same information.

You can download the Gpasman source code from http://gpasman.nl.linux.org/. As always, the first step in installing Gpasman is to uncompress and unarchive using tar zxf:

[root@pointy passwd]# tar zxf gpasman-1.3.0.tar.gz

Next, run the configuration script to ready the software for compilation:

[root@pointy passwd]# cd gpasman-1.3.0

[root@pointy gpasman-1.3.0]# ./configure

creating cache ./config.cache

checking for gcc... gcc
